Enterprise & Teams
API Workbench Pro is single-browser today and built to stay zero-egress as it becomes a team product. Here is exactly what ships now, and what is on the roadmap — in plain future tense, never dressed up as live.
Most collaboration tools start with a cloud and bolt on security. We are doing the opposite: the entire workbench is offline-first and ships zero bytes of your API data to anyone. The multi-user concepts a team needs — roles, members, reviews, audit — are already modelled and enforced. What is left is shared state, and we are only willing to add it without breaking the promise that we cannot read your data.
So sync and SSO are on the roadmap below, in honest phases. None of it is live yet — where it says Roadmap, it means roadmap.
- Team — EU-hosted encrypted sync. Roadmap. Shared workspace, real members, merge engine.
- Enterprise — self-hosted Docker + SSO. Roadmap. Full data residency, OIDC then SAML.
Owner, editor, operator and viewer drive a real permission matrix — exports, approvals and production locks are already gated by it.
Members carry name, e-mail and role today. Inviting real identities is the only piece sync needs to add.
A full pending → approved / rejected workflow with reviewer roles and production locks — the governance multiple people will share.
Every governance action records an actor and role. When members are authenticated, the actor simply becomes the signed-in identity.
Counts above are live from this workspace. The four roles drive the permission matrix in src/lib/permissions.ts — try editing a production-locked mapping as a non-owner and watch it get denied and audited.
- Phase 0 · Shipped · Encrypted workspace bundle — the wire format
Shipped today. The versioned, optionally AES-GCM-encrypted workspace bundle in Settings is the exact format team sync will move over the wire. Export it, commit it to git, hand it to a colleague — collaboration works now, asynchronously, with zero server.
- Full workspace as one portable, schema-validated bundle
- AES-256-GCM · PBKDF2-SHA-256 passphrase encryption (WebCrypto)
- Replace / merge import with conflict preview
- Phase 1 · Roadmap · In design · EU-hosted encrypted sync service
A minimal sync API hosted in the EU (Hetzner / Scaleway) — or a self-hosted Docker container you run yourself. The server stores opaque encrypted blobs per entity collection and is designed to know nothing about their contents.
- push / pull endpoints over the existing bundle format
- Server stores ciphertext only — zero-knowledge by design
- Self-hosted Docker option for full data residency control
- Phase 2 · Roadmap · Building · Real-time merge engine
A client-side sync engine that diffs by (entity type, id, updatedAt): last-write-wins for mutable entities, append-merge by id for audit, executions and run records. The createdAt / updatedAt stamps the workbench already records make this deterministic.
- Last-write-wins for APIs, mappings, scenarios
- Append-merge (union by id) for audit & run history
- Deterministic conflict resolution — no lost edits
- Phase 3 · Roadmap · Exploring · End-to-end encryption & invited members
A team passphrase derives an AES-GCM workspace key in the browser; later, per-member key wrapping. Settings role impersonation is replaced by genuinely invited members (e-mail + role) on the WorkspaceMember type that already models them.
- PBKDF2-derived workspace key, AES-GCM per blob
- Invited members replace demo impersonation
- Audit actor becomes the authenticated identity
- Phase 4 · Roadmap · Exploring · Single sign-on (OIDC, then SAML)
OIDC first — Entra ID, Okta, Keycloak — with SAML to follow. SSO is Enterprise-tier only. Team = EU-cloud sync; Enterprise = self-hosted Docker sync container plus SSO.
- OIDC: Microsoft Entra ID, Okta, Keycloak
- SAML 2.0 to follow
- Enterprise tier · self-hosted distribution
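The Phase 2 merge rules (last-write-wins by `updatedAt`, union by id for history) can be sketched as follows. This is an added example in plain JavaScript, not the workbench's own code: the collection names, the flat entity shape, the tie-break on canonical content and the `conflicts` report are assumptions.

```javascript
// Added example. Collection names and entity fields are assumptions.
const APPEND_ONLY = new Set(["audit", "executions", "runs"]);

// Canonical form: sorted keys, so both replicas compare identical text.
// Assumes flat entities (the replacer array also filters nested keys).
const canon = (e) => JSON.stringify(e, Object.keys(e).sort());

// Last-write-wins on updatedAt (ISO-8601 UTC strings sort lexicographically).
// Equal stamps fall back to canonical content so merge(a, b) equals merge(b, a).
function pickWinner(a, b) {
  if (a.updatedAt !== b.updatedAt) return a.updatedAt > b.updatedAt ? a : b;
  return canon(a) >= canon(b) ? a : b;
}

function mergeCollection(type, local, remote) {
  const byId = new Map(local.map((e) => [e.id, e]));
  const conflicts = [];
  for (const r of remote) {
    const l = byId.get(r.id);
    if (l === undefined) {
      byId.set(r.id, r); // unseen id: union
    } else if (canon(l) === canon(r)) {
      continue; // identical on both sides
    } else if (APPEND_ONLY.has(type)) {
      // History is immutable: same id with different content is flagged, never merged.
      conflicts.push({ type, id: r.id, reason: "append-only record differs" });
    } else {
      const winner = pickWinner(l, r);
      // Keep the losing version in the report so the older edit stays recoverable.
      conflicts.push({ type, id: r.id, reason: "overwritten", loser: winner === l ? r : l });
      byId.set(r.id, winner);
    }
  }
  const merged = [...byId.values()].sort((x, y) => (x.id < y.id ? -1 : x.id > y.id ? 1 : 0));
  return { merged, conflicts };
}

// Constructed sample data: two devices edited mapping m1; device B also added m2.
const deviceA = [{ id: "m1", target: "crm.v1", updatedAt: "2024-05-01T10:00:00.000Z" }];
const deviceB = [
  { id: "m1", target: "crm.v2", updatedAt: "2024-05-01T11:30:00.000Z" },
  { id: "m2", target: "billing", updatedAt: "2024-05-01T09:00:00.000Z" },
];
console.log(mergeCollection("mappings", deviceA, deviceB));
```

Last-write-wins trusts client-written `updatedAt` values, so a device with a fast clock wins every conflict; the `loser` entries are what make an overwritten edit recoverable.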
The encrypted workspace bundle you can already export from Settings is the wire format team sync will move. The encryption key is derived in your browser from a team passphrase; the planned sync service only ever sees ciphertext. That is what keeps the zero-knowledge promise verifiable — not a clause in a contract, but the format itself.
- 01 · Your workspace
APIs, mappings, scenarios, audit — all in your browser.
- 02 · Key in your browser
A team passphrase derives an AES-GCM key client-side. It never leaves the device.
- 03 · Encrypted bundle
The same versioned bundle Settings exports today — ciphertext, not content.
- 04 · Roadmap · Sync (roadmap)
An EU-hosted (or self-hosted) service that stores opaque blobs it cannot read.
Until sync ships, the bundle already collaborates: export it, commit it to git, or hand it to a colleague. Nothing about your API data has to touch a server to share it.
| Capability | Today (Shipped) | Team / Enterprise (Roadmap) |
|---|---|---|
| Where workspace state lives | This browser's localStorage — one device | Encrypted, synced across your team's devices |
| Sharing a workspace | Export an encrypted bundle, hand it over | Real-time shared workspace, members see live edits |
| Identities | Role impersonation in Settings (demo) | Invited members — e-mail + role, real audit actor |
| Sign-in | None — the app needs no account | SSO via OIDC (Entra ID / Okta / Keycloak), SAML later |
| Conflict handling | Replace / merge on import, with preview | Automatic merge — last-write-wins + append history |
| Where it runs | Entirely in your browser | EU-hosted, or self-hosted Docker for full residency |
We are onboarding a small group of design partners — integration consultancies and telco teams across the EU — to build sync and SSO with us, not at them. Design partners get direct roadmap influence, an engineer answering the e-mail, and early access the moment each phase is real.
No commitment, no fake live demo — just an honest conversation about what your governance review actually needs.